Onboarding to Defender for Endpoint vs Enabling/onboarding EDR

dmease27 1 Reputation point
2022-06-28T13:00:04.687+00:00

I have a task to onboard devices to Defender for Endpoint, and enable EDR. The documentation seems comprehensive, but in some places I feel the wording and references are not consistent.

The Plan Deployment instructions [1] indicate that the deployment (onboarding) method (Step 2) is distinct from configuring capabilities (Step 3), of which "Endpoint detection and response" is listed as a capability.
The Deployment phases instructions [2] indicate the same (under "In Scope", enabling EDR follows onboarding).
The Onboarding overview [3] indicates that configuration of EDR capabilities follows onboarding, and links to the EDR overview [4]. In that entire documentation section, I cannot see anything else that needs to be configured to enable the EDR capability, rather lots of information on how to use EDR.

Questions:

  1. When a device has been onboarded to Defender for Endpoint, does this automatically mean that EDR is active?
  2. Is there any other configuration that needs to proceed in order to enable the EDR component/capability after onboarding is complete, that is not related to another component or capability (with exception of EDR block mode)?

Note that I am focused on configuration and implementation, rather than using.

There appears to be a lot of overlap between components and capabilities. I am guessing that you will get better data out of EDR when other components/capabilities are enabled/configured, and we would certainly look to do this, however I am not sure if I am missing anything here. From what I can see, when you have onboarded a device to Defender for Endpoint, you simply "have EDR".

[1] https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/deployment-strategy?view=o365-worldwide
[2] https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/deployment-phases?view=o365-worldwide
[3] https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/onboarding?view=o365-worldwide
[4] https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response?view=o365-worldwide

Many thanks,


2 answers

  1. David Broggy 6,371 Reputation points MVP Volunteer Moderator
    2022-06-28T13:33:09.953+00:00

    Hi Dmease,
    You're on the right track.
    Some thoughts:

    • The default config is a safe start, so it gets you deployed fast.
    • If you enable any other advanced settings in the Defender UI, think of them as global settings.
    • When you're ready to be more granular, go to Intune and begin creating groups and custom configurations for each group. Base templates are provided to get you started.
    • If you see noisy alerts, use the exceptions feature to tune them out.
    • Also consider enabling some of the ASR rules via Intune or PowerShell.
    • Use an attack simulation tool like Atomic Red Team to test/validate your rules.

  2. dmease27 1 Reputation point
    2022-06-28T17:52:51.6+00:00

    Cheers David,

    Just to clarify, I am aware of other capabilities; however, when trying to draw up an action plan, other capabilities will be considered separately, i.e. ASR is out of scope for current discussion purposes.

    When I look at Intune, if I go to Endpoint Security | Manage | Endpoint Detection and Response and create a new policy, the only settings I can really alter are in relation to:

    • Sample Sharing
    • Telemetry Reporting Frequency

    With respect to your list above:

    • What advanced settings am I missing in the Defender UI that relate specifically to EDR and not another capability? (If they relate to another capability, the configurations will be considered under the planning for that capability.)
    • For base templates, is there anything that I am missing (with regard to EDR rather than other capabilities)? If "base templates" refers to Device Configuration Profiles, then if I use an Endpoint Protection template (Win 10 and later), there are many options relating to other capabilities, but none specifically to EDR?
    • Would noisy alerts come from just enabling EDR, or are we assuming that other capabilities have been enabled/configured?
    • For attack simulation, I am assuming that this comes after enabling other capabilities.

    My main point here is that, ultimately, to get EDR up and running, you onboard to Defender and select a couple of options. Anything else is related to other Defender for Endpoint capabilities (the EDR capability can be used to tune further; however, tuning is more likely after other capabilities are enabled/configured).

    Does this make sense? In the MS deployment strategy [1], EDR is listed as priority 1 under "Service adoption order" - from what I can see, when devices are onboarded to Defender, EDR has technically already been adopted, and there are only a couple of options to tweak (that do not fall under remit of TVM, NGP or ASR).

    I am assuming that using EDR without other capabilities, whilst obviously not giving full value, gives some value due to the fact that telemetry data is still gathered?

    Cheers,

    [1] https://download.microsoft.com/download/5/6/0/5609001f-b8ae-412f-89eb-643976f6b79c/mde-deployment-strategy.pdf

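Added example, not from this thread or from Microsoft's own tooling: a PowerShell check an engineer can run on a device to see whether onboarding actually took (the onboarding state written to the registry and the Sense service that carries EDR telemetry) and what the current sample-sharing setting is, which covers both the original question ("does onboarded mean EDR is active?") and the Intune EDR policy options mentioned in the reply above. The registry paths and the Sense service name are assumed from Microsoft's onboarding and troubleshooting guidance rather than taken from this page; run it in an elevated session.

```powershell
# Added example (not from the thread). Registry paths and the "Sense" service name are
# assumed from Microsoft's onboarding guidance; treat them as assumptions to verify.

function Get-MdeOnboardingStatus {
    [CmdletBinding()]
    param()

    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'

    # OnboardingState = 1 is set once the onboarding package has been applied to the device.
    $onboardingState = (Get-ItemProperty -Path $statusKey -Name OnboardingState `
        -ErrorAction SilentlyContinue).OnboardingState

    # The EDR sensor runs as the "Sense" service; if it is not running, no telemetry flows.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue

    # Sample sharing is the EDR-specific knob exposed in the Intune EDR policy: 1 = allowed, 0 = not.
    $allowSamples = (Get-ItemProperty -Path $policyKey -Name AllowSampleCollection `
        -ErrorAction SilentlyContinue).AllowSampleCollection

    # Count recent errors in the sensor's own event log (assumed log name), useful when
    # the device shows as onboarded but never reports in to the portal.
    $senseErrors = 0
    try {
        $senseErrors = @(Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-SENSE/Operational'; Level = 2
            StartTime = (Get-Date).AddDays(-1) } -ErrorAction Stop).Count
    } catch { $senseErrors = $null }   # log absent or no matching events

    $onboarded     = ($onboardingState -eq 1)
    $sensorRunning = ($null -ne $sense -and $sense.Status -eq 'Running')

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        OnboardingState       = $onboardingState
        Onboarded             = $onboarded
        SenseServiceState     = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }
        SenseStartType        = if ($sense) { $sense.StartType.ToString() } else { 'n/a' }
        AllowSampleCollection = $allowSamples
        SenseErrorsLast24h    = $senseErrors
        # EDR is only effectively active when the device is registered AND the sensor is running.
        EdrActive             = ($onboarded -and $sensorRunning)
    }
}

Get-MdeOnboardingStatus | Format-List
```

A device that reports Onboarded = True but SenseServiceState other than Running, or a non-zero SenseErrorsLast24h, is the case where "onboarded" and "EDR active" diverge and the Sense log is the place to look next.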
